When you log in to Gmail in the very near future, you may spot another new alert trying to grab your attention. But unlike many other messages that you’d prefer to ignore when they pop up in your field of vision, this notification is definitely one worth thinking about.
As Frederic Lardinois reports for TechCrunch, Google will soon warn you when a message that lands in your Gmail inbox has arrived via an unencrypted connection. Gmail already defaults to using HTTPS for connections between your browser and its servers, but for a long time, the standard practice for sending messages between email providers was to leave them unencrypted. If someone managed to intercept those messages in transit, there was nothing to stop them from reading the contents.
Because unencrypted messages are such an easy target, over the past few years, Google and other email providers began to change that policy. Fifty-seven percent of messages that users on other email providers send to Gmail users are encrypted, and 81% of outgoing messages from Gmail are encrypted. Messages sent between Gmail accounts are always encrypted.
Research conducted jointly by Google, the University of Michigan, and the University of Illinois found that email security is improving, as researcher Elie Bursztein and engineer Nicolas Lidzborski explain in a blog post. From December 2013 to October 2015, the proportion of encrypted emails that Gmail received from other email providers rose from 33% to 61%.
And more receiving domains now have built-in support for encryption, which has enabled the percentage of encrypted messages that are sent from Gmail to other email providers to increase from 60% to 80%. And 94% of inbound messages appearing in Gmail users’ inboxes are equipped with some kind of authentication, since technologies that protect against phishing and impersonation have “become the norm.”
However, the researchers also found that some portions of the Internet actively prevent message encryption by tampering with requests to initiate SSL connections. And malicious DNS servers try to intercept traffic by publishing “bogus routing information” to email servers looking for Gmail. Google explains that “these nefarious servers are like telephone directories that intentionally list misleading phone numbers for a given name,” and, while rare, this sort of attack could enable third parties to censor or alter messages before they make it to the recipient.
While those threats don’t affect Gmail-to-Gmail communication, they do affect messages sent between email providers. And as Google’s researchers note, “Security threats won’t disappear, but studies like these enable providers across the industry to fight them with better, more powerful protections today and going forward.” So Gmail will notify users of the potential dangers by displaying a warning when they receive a message through a non-encrypted connection. Google reports that “these warnings will begin to roll out in the coming months.”
Because so many email servers still don’t support encryption, you’ll likely see a warning or two in the next few months. And unlike the many alerts and notifications that pop up throughout the day in the apps you use most, this one is worth understanding and paying attention to when it does appear in your inbox. As users begin to see the notifications, the warnings will likely enable users to be more aware of suspicious messages, and could even increase consumer demand for encryption.
As Cory Bennett reports for The Hill, tech companies and the federal government have been fighting over encryption standards since the Snowden leaks. After the revelation of widespread surveillance, major tech companies — including Google, Apple, and Microsoft — began encrypting as much consumer data as possible in order to keep it out of surveillance agencies’ hands. Law enforcement officials have pushed back, claiming that encryption prevents investigators from accessing the digital information and messages of suspects, even when they’ve obtained a warrant.
Despite the demands of FBI director James Comey — who called for some form of guaranteed access to encrypted data for law enforcement — the White House hasn’t pushed for legislation that would mandate that companies build in an entry point for law enforcement officials. Legislators are still working with individual companies to come up with a solution that would enable access without leaving data exposed to hackers and malicious third parties.